Add UPnP support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-04-08 18:07:58 +00:00
parent 1180175379
commit c5949a0119
5 changed files with 125 additions and 5 deletions


@ -12,6 +12,10 @@
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# #
#ACTION #ACTION


@ -1,3 +1,7 @@
Changes in 2.2.4
1) Added support for UPnP
Changes in 2.2.3 Changes in 2.2.3
1) Added the 'continue' extension script. 1) Added the 'continue' extension script.


@ -937,7 +937,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-) dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;; ;;
detectnets) detectnets)
[ -n "$wildcard" ] && \ [ -n "$wildcard" ] && \
@ -3473,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid" ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -3544,6 +3545,15 @@ process_actions1() {
process_actions2() { process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
USEDACTIONS="$USEDACTIONS forwardUPnP"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..." progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes changed=Yes
@ -3695,6 +3705,26 @@ process_actions3() {
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;
forwardUPnP)
;;
allowinUPnP)
if [ "$COMMAND" != check ]; then
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
fi
;;
allowoutUPnP)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
fi
;;
*) *)
# #
# Not a builtin # Not a builtin
@ -6290,6 +6320,20 @@ add_common_rules() {
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done done
fi fi
#
# UPnP
#
interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then
echo "Setting up UPnP..."
createnatchain UPnP
for interface in $interfaces; do
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
done
fi
setup_forwarding setup_forwarding
} }
@ -6387,7 +6431,9 @@ activate_rules()
# are inserted before jumps to one-to-one NAT chains. # are inserted before jumps to one-to-one NAT chains.
# #
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{ { interfaces=$(find_interfaces_by_option upnp)
local sourcechain=$1 destchain=$2 local sourcechain=$1 destchain=$2
shift shift
shift shift
@ -6402,7 +6448,7 @@ activate_rules()
fi fi
} }
# #
# Add jumps to early SNAT chains # Add jumps to early SNAT chains
# #
@ -6697,6 +6743,7 @@ define_firewall() # $1 = Command (Start or Restart)
echo "Initializing..."; initialize_netfilter echo "Initializing..."; initialize_netfilter
echo "Configuring Proxy ARP"; setup_proxy_arp echo "Configuring Proxy ARP"; setup_proxy_arp
echo "Setting up NAT..."; setup_nat echo "Setting up NAT..."; setup_nat
echo "Setting up NETMAP..."; setup_netmap echo "Setting up NETMAP..."; setup_netmap
echo "Adding Common Rules"; add_common_rules echo "Adding Common Rules"; add_common_rules
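Review bot: The log rule for allowoutUPnP spells the owner-match option differently from the accept rule right under it: the `log_rule_limit ... -A -m owner --owner-cmd upnpd` line uses `--owner-cmd`, while the accept rule uses `--cmd-owner`, which is the spelling the iptables owner match takes, so with a log level set on the action the log rule would be rejected by iptables; change it to `log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --cmd-owner upnpd`. The empty `forwardUPnP)` arm reads as an omission without a comment; the release notes in this commit configure upnpd with `forward_chain_name = forwardUPnP`, so I would add `# forwardUPnP is populated by upnpd at run time; nothing is added here` above its `;;`. The same comment belongs on the `createnatchain UPnP` block in add_common_rules, whose PREROUTING jumps are added for every 'upnp' interface while the chain's contents presumably come from upnpd (`prerouting_chain_name = UPnP`). Both the process_actions3 case statement and add_common_rules begin and end outside their hunks.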


@ -167,6 +167,8 @@
# detectnets - Automatically taylors the zone named # detectnets - Automatically taylors the zone named
# in the ZONE column to include only those # in the ZONE column to include only those
# hosts routed through the interface. # hosts routed through the interface.
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
# #
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE. # INTERNET INTERFACE.


@ -1,4 +1,67 @@
Shorewall 2.2.3 Shorewall 2.2.4
-----------------------------------------------------------------------
Problems corrected in version 2.2.4
None.
-----------------------------------------------------------------------
New Features in version 2.2.4
1) Support has been added for UPnP using linux-igd
(http://linux-idg.sourceforge.net). UPnP is required by a number of
popular applications including MSN IM.
WARNING: From a security architecture viewpoint, UPnP is a
disaster. It assumes that:
a) All local systems and their users are complete
trustworthy.
b) No local system is infected with any worm or trojan.
If either of these assumptions are not true then UPnP can
be used to totally defeat you firewall and to allow
incoming connections to arbitrary local systems on any port
whatsoever.
In short: USE UPnP AT YOUR OWN RISK.
WARNING: Building and installing linux-igd is not for the faint of
heart. You must download the source from the CVS and be
prepared to do quite a bit of fiddling with the include
files from libupnp (which is required to build and/or run
linux-igd).
linux-idg Configuration:
In /etc/upnpd.conf, you will want:
insert_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP
Shorewall Configuration:
In /etc/shorewall/interfaces, you need the 'upnp' option
on your external interface.
If your fw->loc policy is not ACCEPT then you need this
rule:
allowoutUPnP fw loc
If your loc->fw policy is not ACCEPT then you need this
rule:
allowinUPnP loc fw
You MUST have this rule:
forwardUPnP net loc
You must also ensure that you have a route to 224.0.0.0/4 on your
internal (local) interface.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.2.3 Problems corrected in version 2.2.3